Low — resolveS3Endpoint non-SDK fallback is partition-incorrect
Impact: When the SDK endpoint resolver fails, S3 Tables tables without a vended endpoint get
https://s3.<region>.amazonaws.com, which is wrong for China (amazonaws.com.cn) and GovCloud;
reads then hit the wrong host. Contradicts the URI.h doc-comment claiming it "handles all partitions".
Anchor: src/IO/S3/URI.cpp / DB::S3::resolveS3Endpoint (fallback
return "https://s3." + region + ".amazonaws.com").
Trigger: catalog_type='s3tables', no vended endpoint, SDK ResolveEndpoint fails (init order /
unknown region / SDK regression) on a cn-* or us-gov-* region.
Why defect: Only the success branch is partition-aware; the fallback is not, despite the header comment.
Fix direction: Throw on resolver failure, or make the fallback partition-aware
(cn-* → .amazonaws.com.cn, us-gov-*).
Regression test direction: Force a failing S3EndpointProvider and assert partition-correct host
or thrown exception.
Low — Credential refresh fails open to stale creds when IAM provider returns empty
Impact: On a long-running query where the STS session expires, resolveS3TablesRefreshCredentials
returns nullptr (empty IAM creds), and the consuming S3 client path silently keeps the expired
snapshot, surfacing an opaque S3 auth error instead of a clear catalog/credentials message.
Asymmetric with the initial-attach path, which fails fast with BAD_ARGUMENTS.
Anchor: src/Databases/DataLake/S3TablesCredentialRefresh.cpp / getCatalogIAMCredentials
(returns nullptr) → S3TablesCatalog::getCredentialsConfigurationCallback.
Trigger: Catalog-IAM path (no vended creds), query lifetime crosses session-token expiry,
provider returns empty on refresh.
Why defect: Initial attach throws on empty IAM creds; refresh path returns nullptr (fail-open),
inconsistent error contract for the same fault.
Fix direction: Propagate an explicit exception from the refresh callback when fallback IAM creds
are empty.
Regression test direction: Mock provider returning empty on second call; assert refresh raises an
explicit error instead of silent nullptr.
Low — Warehouse-encoding fallback produces a malformed REST prefix
Impact: Poco::URI::encode(warehouse_, "", ...) with an empty reserved set leaves : and /
unencoded, so the synthesized config.prefix (e.g. arn:aws:s3tables:...:bucket/x) is not properly
percent-encoded and yields broken REST endpoints. Only reached when the catalog config response
omits prefix (AWS S3 Tables always supplies it, so AWS is unaffected; non-AWS / mock /
misconfigured catalogs are).
Anchor: src/Databases/DataLake/S3TablesCatalog.cpp constructor (if (config.prefix.empty()) fallback).
Trigger: config endpoint returns no prefix.
Why defect: ARN must be encoded with :// escaped for the prefix path; the empty reserved set
does not escape them.
Fix direction: Pass the reserved set (":/") to Poco::URI::encode, or encode the ARN the way
AWS expects.
Regression test direction: Unit test the fallback with an ARN-style warehouse and assert
%3A/%2F escaping.
Describe the bug